Control: tags -1 moreinfo

On 2025-05-25 21:31:33 +0200, Marc Haber wrote:
> Package: release.debian.org
> Severity: normal
> X-Debbugs-Cc: a...@packages.debian.org
> Control: affects -1 + src:atop
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Hi,
>
> the atop upstream has added robustness patches to atop 2.11.1: They have
> replaced all instances of sprintf in the code with snprintf calls, and
> they have identified and fixed a buffer overflow crash that only happens
> on the Raspberry Pi 5 (which Debian doesn't officially support then). I
> think that Debian downstreams such as Raspberry Pi OS will profit from
> this change though.
>
> https://salsa.debian.org/debian/atop/-/tree/mh/wip-security/debian/patches?ref_type=heads
>
> shows three new patches in quilt format,
> with 0016-replace-sprintf-with-snprintf.patch being all straightforward
> sprintf/snprintf changes,
> 0017-new-parameter-for-formatr_bandw-to-get-rid-of-sprint.patch being a new
> prototype for the format_bandw function, giving more information into
> the function for a sprintf/snprintf conversion, and
> 0018-fix-buffer-overflow-crash-on-Raspberry-Pi-5-fake-NUM.patch being the fake
> NUMA patch for the Raspi 5.
>
> These three patches will bring a future atop 2.11.1-3 to the same code
> base as the 2.11.2 upstream version that upstream will release shortly.
>
> Please indicate whether you would be willing to pre-approve either a
> 2.11.2-1 with the new upstream version, or a 2.11.1-3 with an arbitrary
> subset of the three patches I have prepared.

If it's the same codebase anyway, uploading the new upstream release as
2.11.2-1 would better reflect the situation. But if you want a definite
answer, please provide debdiffs of both cases.

Cheers

> [ Reason ]
> The sprintf/snprintf changes will obviously increase atop's
> security, and the fake NUMA patch will make atop work on the Raspberry
> Pi 5 when Raspberry Pi OS pulls the package from trixie instead of
> immediately segfaulting.
>
> [ Impact ]
> Reduced security for all systems, package unusable on Raspi 5
>
> [ Tests ]
> I can only check manually whether the package works. Sadly, the atop
> package only has superficial autopkgtests since I don't have a
> clue how to test a package that is interactive and does automated things
> at midnight.
>
> [ Risks ]
> atop is a leaf package, nothing depends on it, only the hollywood
> package (a gag package itself) Recommends it, and there are numerous
> alternatives (htop, btop, top etc.) available.
>
> [ Checklist ]
> Will fill the checklist out once pre-approval is given and it has been
> decided how to proceed.
>
> Thanks for your consideration. atop upstream has been extremely helpful
> in the last months, they are a real pleasure to cooperate with. I would
> love to have their latest security patches in trixie if just to be nice
> to them.
>
> Greetings
> Marc

--
Sebastian Ramacher
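An added example, written for this page and not taken from atop or from either message: a hypothetical rate formatter showing the unbounded sprintf pattern that patches 0016/0017 remove next to the bounded form, where the caller passes the buffer length (the idea behind giving format_bandw an extra parameter) and the snprintf return value is checked so truncation is reported rather than silent. The function names and the "B/s" format are assumptions, not atop's.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* "Before" shape (hypothetical, not atop's format_bandw): the callee never
 * learns how large buf is, so a long value silently writes past its end. */
static void format_rate_unbounded(char *buf, unsigned long long bytes_per_sec)
{
    sprintf(buf, "%llu B/s", bytes_per_sec);
}

/* "After" shape: the buffer length travels with the buffer, snprintf bounds
 * the write and NUL-terminates (for buflen > 0), and the return value is
 * checked so a result that did not fit is reported to the caller. */
static bool format_rate_bounded(char *buf, size_t buflen,
                                unsigned long long bytes_per_sec)
{
    int n = snprintf(buf, buflen, "%llu B/s", bytes_per_sec);
    if (n < 0)
        return false;              /* encoding error */
    if ((size_t)n >= buflen)
        return false;              /* output did not fit; buf holds a prefix */
    return true;
}

/* Exercise the bounded formatter with a buffer of buflen bytes.
 * Returns 1 if the result equals expect, 0 if the call reported truncation
 * and still left buf NUL-terminated, -1 on any other outcome. */
static int try_format(size_t buflen, unsigned long long bytes_per_sec,
                      const char *expect)
{
    char buf[64];
    if (buflen == 0 || buflen > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);                 /* make stale bytes visible */
    if (!format_rate_bounded(buf, buflen, bytes_per_sec))
        return buf[buflen - 1] == '\0' ? 0 : -1;
    return expect != NULL && strcmp(buf, expect) == 0 ? 1 : -1;
}

int main(void)
{
    char big[64];
    format_rate_unbounded(big, 1024ULL);          /* safe only because big is large */
    printf("unbounded: %s\n", big);
    printf("fits:      %d\n", try_format(sizeof big, 1024ULL, "1024 B/s"));
    printf("truncated: %d\n", try_format(4, 1024ULL, NULL));
    return 0;
}
```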